Shifts as a result of technological revolution in communications and information exchange (Noblett et al, 2000):
• Manufacturing goods → processing information
• Paper trails → electronic trails
• Traditional crimes → technologically committed crimes
• Tangible evidence → electronic evidence
What is Evidence?
Proving that transactions have taken place, that documents exist, that events have occurred.
Why do we need evidence?
• As part of major incident recovery
• To respond to minor incidents in which there is a need for proof
• To be able to tackle prospective legal problems
o Claims against us
o Claims we wish to make against others
• To assist law enforcement
• to assist law enforcement in criminal and anti-terrorist investigations;
• to meet disclosure requirements in civil claims;
• to support insurance claims after a loss.
• proving transaction has taken place
• proving that a document
o was created at a specific time
o has a specific, identifiable author
• demonstrating that an e-identity corresponds to a specific individual or legal entity
• in allegations of employee misbehaviour
• fraud - how do we prove?
• data damage - how do we prove?
• contractual disputes - what evidence?
• breach of confidentiality - what evidence?
• copyright - what evidence?
• defamation - what evidence?
• Data Protection offences - what evidence?
• industrial / Official Secrets - what evidence?
• breach of Companies Act obligations - what evidence?
• email and Internet abuse;
• acquisition and storage of pornographic and paedophiliac material;
• theft of source code and software piracy;
• "phishing", where someone is induced to give away important confidential information to a fake website –
businesses may either lose information in this way or find that their own website is being mimicked by phishers;
• denial of service and terrorist-motivated attacks
Potential sources of evidence
Main transaction and business records
Logs - Access control logs, Activity logs, Anti virus logs, intrusion detection log, Telephone logs
Data media, back up media
• Law depends on evidence that can be located and proved
• how the courts and legal system will regard it
• Evidence obtained from computers which would be readily accepted on a "commonsense" basis may be rejected
by the courts
• Reliability of intended computer records
• Reliability of forensically located and recovered data
• Law may have difficulty in coping with cyber-environments and "intangibles"
• legal rules of admissibility may prevent presentation of evidence
o certification of normal working
o fairness in evidence acquisition
• A "specification" problem
o "find out what the lawyers want, put it into the specification…"
• A "legal" problem
o Do we need to change the law to "appreciate" information technology?
o Do we need to change court procedures to assist understanding of technical matters?
• A "social science" problem
o How are non-specialists persuaded to accept "technical" evidence?
In general, evidence may be:
real – an object which can be brought to court and examined on the spot;
testimonial – the eyewitness observations of someone who was present and whose recollections can be tested before
documentary – a business or other record in any form which, once its authenticity has been proved, can be examined for
technical – where a forensic technician has carried out some procedures on original "real" evidence and has produced
some results. Technical evidence, in the eyes of the court, is not the same as expert evidence, which also includes giving
expert – the opinions of someone who is expert in a particular field and/or the conclusions of that expert after carrying out
a specific investigation;
derived – a chart, video, etc. created from primary evidence to illustrate how certain conclusions might be drawn.
Evidence presented in court has to satisfy tests which fall into two main categories, admissibility and weight.
For evidence to be admissible, it must satisfy certain purely legal tests of acceptability. The best known of the admissibility
the “hearsay” rule, which excludes reports of reports;
the “fairness in evidence acquisition” rule, which grants discretion to judges to exclude material obtained, for
example, in violation of the codes of conduct in the Police and Criminal Evidence Act 1984 and Police Act 1997;
the “broad” rule that exhibits including documents need to be produced into court by a human witness who can
Having satisfied the admissibility criteria, the evidence can be considered then for weight of fact – its persuasiveness or
probative value. While in the final analysis "weight" is a non-scientific concept, there are a number of desirable features in
non-testimonial evidence, that is, exhibits and documents of various kinds. These attributes include that an exhibit is:
authentic – specifically linked to the alleged circumstances and persons;
accurate – free from any reasonable doubt about the quality of procedures used to collect the material,
analyse it (if appropriate and necessary) and introduce it into court. It has to be produced by someone who
can explain what has been done. If a forensic method has been used it needs to be "transparent", that is,
freely testable by a third-party expert. In the case of exhibits which themselves contain statements – a letter
or other document, for example – "accuracy" must also encompass accuracy of content. This normally
requires the document’s originator to make a witness statement and be available for cross-examination;
complete – it tells within its own terms a complete story of a particular set of circumstances or events.
Extensive explanations (only in the case of forensic evidence)
Continuity of Evidence
a.k.a. "chain of custody" in the US, continuity of evidence refers to the ability to report everything that has happened to an
item of evidence from the point at which it was acquired to when it is presented as an exhibit in court.
The process is designed to limit the opportunities for contamination or confusion, accidental or deliberate, or to pinpoint
when contamination occurred. But there are also other elements which set computer-derived evidence apart, as follows.
Computer data can be highly volatile: it can be changed or altered easily.
Much immediate computer evidence is not obviously readable by humans. Actual exhibits are often derived,
manipulated and "presented" away from their point of origin.
Specialists in digital forensics have to cope with an unparalleled rate of change but still strive to work to the same
standards of rigorous verification that are expected in the more traditional forensic disciplines.
If an information system which operates in the commercial domain cannot deliver legal reliability, it is not reliable.
Methods of achieving Reliability
• Auditing for Compliance / Certification
• Designing for Fail-safe
• Error Detection
• Error Correction
• Audit Trails
• Authentication – transaction
• Authentication – users
None of these methods provides absolute reliability; they aim to produce sufficient reliability.
Scientific vs Legal Proof
• Scientists aim to define general explanations – "scientific laws"
• In legal proceedings the aim is to decide on a construction of the facts which are relevant to a legal outcome
Legal Reliability is essentially:
• a practical function achieved by the use of: testing, auditing, certification, error detection/correction, audit trails,
authentication within a PKI
• an observable phenomenological function of how courts behave from which imperfect rules may be derived.
• contextual: reliability is sufficient against a purpose
What is computer forensics?
Computer Forensics is about looking for unintended digital material from which reliable conclusions may be drawn.
Computer forensic science is the science of acquiring, preserving, retrieving, and presenting data that has been
processed electronically and stored on computer media. As a forensic discipline, nothing since DNA technology has had
such a large potential effect on specific types of investigations and prosecutions as computer forensic science. (Noblett et al, 2000)
data from seized computers
audit trails / activity logs
monitoring activities within computers
monitoring networks and comms
Computer forensic science vs other forensic sciences (Noblett et al, 2000)
• Computer forensic science, to be effective, must be driven by information uncovered during the investigation.
However other forensic science examination can be conducted without knowledge of the specific circumstances
of the crime.
• Unlike forensic DNA analysis or other forensic disciplines, computer forensic science makes no interpretive
statement as to the accuracy, reliability, or discriminating power of the actual data or information.
• Traditional forensic analysis can be controlled in the laboratory setting and can progress logically, incrementally,
and in concert with widely accepted forensic practices. In comparison, computer forensic science is almost
entirely technology and market driven, generally outside the laboratory setting, and the examinations present
unique variations in almost every situation.
• Computer forensic science, unlike some of its traditional forensic counterparts, cannot rely on receiving
similar evidence in every submission. The reasons are:
Operating systems, which define what a computer is and how it works, vary among manufacturers.
Applications programs are unique.
Storage methods may be unique to both the device and the media.
Challenges for computer forensic sciences: (Noblett et al, 2000)
• to develop methods and techniques that provide valid and reliable results while protecting the real evidence—the
• computer evidence almost never exists in isolation. It is a product of the data stored, the application used to
create and store it, and the computer system that directed these activities. To a lesser extent, it is also a product
of the software tools used in the laboratory to extract it.
• Emerging and changing environment
Model proposed (Noblett et al, 2000)
A three-level hierarchical model consisting of the following:
• An overarching concept of the principles of examination
large-scale concepts that almost always apply to the examination.
• Policies and practices,
good laboratory practices by which examinations are planned, performed, monitored, recorded, and reported to
ensure the quality and integrity of the work product.
• Procedures and techniques.
Detailed instructions for specific software packages as well as step-by-step instructions that describe the entire
examination procedure (Pollitt 1995).
Protocols (Noblett et al, 2000)
There is a need to develop laboratory protocols for computer forensic science that meet critical technological and legal
goals. Computer forensic scientists need to develop ongoing relationships with the criminal justice agencies they serve.
The reasons for these relationships include the following:
• In their efforts to minimize the amount of data that must be recovered and to make their examinations more efficient
and effective, computer forensic scientists must have specific knowledge of investigative details.
• to ensure that the technical resources necessary for the execution of the search warrant are sufficient to address both
the scope and complexity of the search.
• Computers may logically contain both information identified in the warrant as well as information that may be
constitutionally protected. The computer forensic scientist advises both the investigator and prosecutor as to how to
identify technical solutions to these intricate situations.
Intrusion Detection systems as evidence (Peter Sommer, 1999)
Although the main aim of IDSs is to detect intrusions in order to prompt evasive measures, a further aim can be to supply
evidence in criminal and civil legal proceedings. However, the features that make an IDS product good at providing early
warning may render it less useful as an evidence-acquisition tool. An explanation is provided of admissibility and weight,
the two determinants in the legal acceptability of evidence.
Problems with current IDS
Not designed to collect and protect the integrity of the type of information required to conduct law
There is a lack of guidance to employees as to how to respond to intrusions and capture the information
required to conduct a law enforcement investigation.
Gap between Purpose of IDS and need of legal systems
The gap exists not only at a purposive and functional level but also in philosophic approach, particularly in relation to
what the computer community on the one hand and the legal system on the other think constitutes "proof". In practice
rather more is needed than "guidelines and training manuals".
Types of IDSs and their outputs
Depending on the precise IDS, typical hoped-for outcomes can include:
• the ability to react in a timely fashion to prevent substantive damage – by automatic or manual intervention
• the ability to react in a timely fashion to mitigate substantive damage – by automatic or manual intervention
• the ability to identify activity which is the precursor of a more serious attack
• the ability to identify a perpetrator
• the ability to discover new attack patterns
• indirectly to provide an additional measure of system protection beyond that available from other forms of security
• and of course, evidence
Methods and their advantages / disadvantages:
• Post-event Audit Trailing – from library of signatures: no possibility of immediate reaction but likely to produce useful
anomaly detection which could lead to further action; depends on quality of library of signatures; however potentially
useless if audit trail compromised
• Post-event Audit Trailing – by detecting unusual patterns (statistical anomaly detection): no possibility of immediate
reaction but depending on volume of data and sophistication of eg AI tools likely to produce useful anomaly detection,
but also likely to produce false positives; potentially useless if audit trail compromised
• Real-time monitoring of packets on the network link – against library of signatures: permits real-time alarm and thus
evasive action; depends on quality of monitoring tool and library of signatures, volume of data and location of
monitoring point(s)
• Real-time monitoring of packets on the network link – by detecting unusual patterns (statistical anomaly detection):
permits real-time alarm and thus evasive action; depends on quality of monitoring tool, volume of data and location of
monitoring point(s); runs risk of false positives etc
• Real-time monitoring of activity on host / network device – against library of signatures: permits real-time alarm and
thus evasive action; but alarm may not sound early enough; depends on quality of monitoring tool and library of
signatures – otherwise potential for false positives and negatives; problems of data volumes, compromise of overall
system performance; danger that host is compromised and with it monitoring tools / audit logs
• Real-time monitoring of activity on host / network device – by detecting unusual patterns (statistical anomaly
detection): permits real-time alarm and thus evasive action; but alarm may not sound early enough; depends on quality
of monitoring tool – otherwise potential for false positives and negatives; problems of data volumes, compromise of
overall system performance; danger that host is compromised and with it monitoring tools / audit logs; runs risk of
false positives etc
Deficiencies of IDS logs
• make little immediate sense without training in the operation of the IDS tool and an understanding of the principles
upon which it operates
• lack sufficient detail
• may not exist over a sufficient time period for comparisons of normal and abnormal activity to be made
• may be incomplete for the relevant period of time
• in the case of real-time monitoring the monitoring tool may not be able to keep up with the stream of traffic with
which it is expected to deal
• in the case of real-time network monitoring the network location of the device hosting the monitoring tool may be
such that it is unable to capture all relevant traffic, some of the packets using other routes
• may not sufficiently distinguish between a legitimate and an unwanted access
• may not identify the perpetrator in any useful way
• may have been compromised
o prior to collection as potential evidence
o during collection as potential evidence
o during post-collection analysis
• in the case of derived data, the methods of analysis and subsequent presentation may lead to misleading results
Evidence in Practice
Most real-life proceedings are unlikely to be just about unwanted intrusions into computer systems.
As per Computer Misuse Act, 1990, before a conviction can be obtained, prosecutors need to demonstrate:
• that a computer was involved
• that it was accessed
• that such accessing was unauthorised
• that the person who is charged with the unauthorised access knew at the time that the access was unauthorised
Limit of IDS - The contribution an IDS can make to this prosecution only covers the first two items; indeed on some
readings the IDS can only address the second bullet point.
Re-designing IDSs as sources of Evidence
There are a number of useful conclusions that can be offered:
1. The earlier the warning is given the less likely it will provide details of the identity of the perpetrator. In terms of
the security aims of most organisations, prevention or evasion of attack is preferable to post-event legal remedy
or assisting law enforcement.
2. The carrying out of an investigation which leads to the identification of a perpetrator need not automatically result
in the production of evidence that is admissible and believable by a court.
3. Evidence acquisition is a separate but related exercise. It is best carried out against a checklist which identifies
the main problems of admissibility and where the main focus of the gatherer is court explanation and
4. Single streams of evidence are unlikely to be adequate to convince a court; what is required are multiple
independent streams of evidence which corroborate each other.
5. The feature that will link together these independent streams will usually be day-time clock data; some means of
synchronisation is thus necessary.
6. If logs are to be produced from IDS tools, a prosecutor must be prepared to disclose complete details of the tool,
and how it was configured and operated. In the case of network monitoring tools, the disclosure may have to
include details of the topography of the local net.
7. Logging evidence, along with anything else that has been generated by computer, will need to be formally
"produced" to court by the people intimately involved. Most jurisdictions have provision in their rules of evidence
for the production of the results of team work, but these need to be followed in detail.
8. In the case of evidence logging which is to take place on a putative target, arrangements need to be made to
prevent compromise during attack. It may be possible to do this within an OS on a single machine, but an
alternative arrangement would be to send, as soon as possible after each event is recorded, all logging
information to a separate, and cryptographically-protected security vault.
9. Logging evidence should always be "best", that is, straight from the computer upon which it was created. Even if
the logs are subsequently processed in order to perform an analysis or make them easier to understand, the raw
log should always be available.
10. Where an exhibit is built from "derived" data (as in a chart or spreadsheet) the raw data has to be available for
disclosure to the defence.
11. There needs to be a complete "chain of custody" or "continuity of evidence" from source to court. This can be
done by statement, entries in note-books and registers, and also by using computer technology to make
tampering more difficult: typically this can include the writing of logs to WORM media at an early stage (this
process itself should be properly recorded) or by using digital finger-printing.
12. Almost certainly the IDS market will be strengthened by the arrival of a range of procedures and products which
concentrate on evidence collection and preservation, as opposed to intrusion.
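Items 8, 9 and 11 above (an off-host, cryptographically protected vault; raw logs kept unchanged; digital fingerprinting to support continuity of evidence) in working form, as an added Python example that is not part of the original notes. The record format, the vault key and the sample alert lines are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample alert lines standing in for raw IDS output taken straight from
# the sensor (the "best" evidence of item 9). Format and addresses are hypothetical.
RAW_IDS_LOG = [
    "2024-03-01T10:15:02Z sensor=ids-1 sig=1001 src=198.51.100.7 dst=10.0.0.5 msg=port-scan",
    "2024-03-01T10:15:09Z sensor=ids-1 sig=2043 src=198.51.100.7 dst=10.0.0.5 msg=login-failures",
    "2024-03-01T10:16:30Z sensor=ids-1 sig=2044 src=198.51.100.7 dst=10.0.0.5 msg=login-success",
]

# Hypothetical vault key: held only by the separate evidence vault (item 8),
# never by the monitored host, so a compromised host cannot re-seal records.
VAULT_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = "0" * 64


def fingerprint(data: bytes) -> str:
    """Digital fingerprint of an evidence item: SHA-256 hex digest."""
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    """Stable serialisation so every party hashes exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_records(raw_lines, key=VAULT_KEY, received_at=None):
    """Seal raw lines into a hash chain as the vault receives them.

    Each record keeps the raw line untouched, fingerprints it, links to the
    fingerprint of the previous sealed record and carries an HMAC under the
    vault key, so altering, removing or reordering any record breaks the chain.
    """
    received_at = received_at or datetime.now(timezone.utc).isoformat()
    chain, prev = [], GENESIS
    for seq, line in enumerate(raw_lines):
        record = {
            "seq": seq,
            "received_at": received_at,  # vault clock, for cross-stream correlation (item 5)
            "raw": line,
            "raw_sha256": fingerprint(line.encode()),
            "prev": prev,
        }
        record["mac"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        prev = fingerprint(canonical(record))
        chain.append(record)
    return chain


def verify_chain(chain, key=VAULT_KEY):
    """Return (True, None) if intact, else (False, seq of the first bad record)."""
    prev = GENESIS
    for expected_seq, record in enumerate(chain):
        unsigned = {k: v for k, v in record.items() if k != "mac"}
        expected_mac = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
        if (record["seq"] != expected_seq
                or record["prev"] != prev
                or record["raw_sha256"] != fingerprint(record["raw"].encode())
                or not hmac.compare_digest(record["mac"], expected_mac)):
            return False, record["seq"]
        prev = fingerprint(canonical(record))
    return True, None


def custody_entry(chain, handler, action, when):
    """Continuity-of-evidence note (item 11): who did what to the exhibit and when,
    bound to the exhibit's current head fingerprint so later alteration is visible."""
    head = fingerprint(canonical(chain[-1])) if chain else GENESIS
    return {"when": when, "handler": handler, "action": action, "exhibit_head": head}


if __name__ == "__main__":
    sealed = seal_records(RAW_IDS_LOG)
    print(verify_chain(sealed))  # (True, None)
```

Any later analysis works on a copy; the sealed chain keeps the raw lines and their fingerprints available for disclosure.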
Standards and initiatives
• ACPO: The Good Practice Guide for Computer Based Evidence is available for download from http://www.nhtcu.org. It is fair
to say that its main focus is on disk forensics, PDAs and mobile phones as opposed to larger computers and networks,
but there are some useful general principles, an overview of legal issues, a glossary and a list of UK police contact
• US Department of Justice: The Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, of the US
Department of Justice provides a useful manual, available at: http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm
Obviously, the description of the law is for US readers. The overall CCIPS site contains many documents, press releases
and links of considerable value to the researcher: http://www.usdoj.gov/criminal/cybercrime/
and contains references to the Council of Europe Cybercrime Treaty to which the UK is a signatory. There is also a
Guide for First Responders: http://www.iwar.org.uk/ecoespionage/resources/cybercrime/ecrime-scene-investigation.pdf
• Council of Europe Convention on Cybercrime: The Convention aims to harmonise definitions of cybercrime and procedures
for warrants and evidence collection across international jurisdictions. It provides significant guidance on evidential
standards.
• Scientific Working Group on Digital Evidence (SWGDE): SWGDE was established in February 1998 through a collaborative
effort of the Federal Crime Laboratory Directors. As the US-based component of standardisation efforts conducted by the
IOCE, SWGDE was charged with the development of cross-disciplinary guidelines and standards for the recovery,
preservation and examination of digital evidence, including audio, imaging and electronic devices:
http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
• Internet Request for Comments (RFC): Internet RFC 3227 provides the Guidelines for Evidence Collection and Archiving
(http://www.faqs.org/rfcs/rfc3227.html). RFCs are one very important way in which Internet protocols and good
practice are discussed and promulgated: http://www.ietf.org/rfc/rfc3227.txt
• CTOSE (Cyber Tools Online Search for Evidence): CTOSE is a research project funded by the European Commission.
Its purpose is to gather available knowledge from different expert groups on all the processes involved in dealing with
electronic evidence and to create a methodology on how to deal with electronic evidence that might occur as a result of
disputed electronic transactions or other computer related and hi-tech crime: http://www.ctose.org/
• ISO 17799: ISO 17799 is the International Standard for Information Security Management. It addresses many aspects of
information security and internal controls, but also stresses the need for formal incident response procedures and tools.
These procedures should cover:
o analysis and identification of the cause of the incident;
o planning and implementation of remedies to prevent recurrence, if necessary;
o collection of audit trails and similar evidence;
o communication with those affected by, or involved with, recovery from the incident;
o reporting the action to the appropriate authority.
The organisation that has suffered a security incident must collect evidence properly for three purposes:
o internal problem analysis;
o use as evidence in relation to a potential breach of contract, breach of regulatory requirement or in the event of
civil or criminal proceedings, e.g. under computer misuse or data protection legislation;
o negotiating for compensation from software and service suppliers.
• ISO 15489 / British Standards: International Standard on Records Management – standards for record-keeping in
electronic form: http://www.iso.ch/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=31908&ICS1=1
• Handbook of Legal Procedures of Computer and Network Misuse: 2005 project to update the EC Handbook of Legislative
Procedures of Computer and Network Misuse. It will include a confirmation and review of the existing information, as
well as collection of legislative information relating to the 10 new member states: http://www.csirt-handbook.org.uk